The insider threat guide

Five security experts explain the different types of insider threats businesses may face and how to protect against them

20th July 2018

When we think of cybercriminals or breaches, most of us think of external hackers or cybercriminals that are attempting to break into the company network or cloud, and steal sensitive data. What we don’t think of is the threat that is already likely in the company building, that has access to sensitive data and might be abusing their rights. This is the insider threat – a multi-faceted risk to company data that often slips under the radar. But the insider threat is important to be aware of, and important to defend against.

Below, five security experts go into detail about the different types of insider threat organisations are likely to face, and how to defend against each.

Nir Polak, CEO at Exabeam, gives a broad overview of the insider threat and how to defend against it:

“There are actually two types of insider threats. One fits the common definition, i.e. a malicious insider who is purposely stealing data. The other type is the compromised insider, i.e. the insider whose credentials have been stolen and now a hacker is impersonating that insider on the network. Both types of insider threats can cause harm. In either case, one of the most formidable threats often comes from administrators with privileged credentials. This person’s job often requires access to sensitive systems, so it can be difficult to distinguish between normal sensitive access and risky sensitive access.

To secure sensitive data, organisations need to start by asking a series of questions internally to clearly define policies and best practices: what are the policies we need? Who should be able to access which data? What access controls should be in place around information or systems?

Policies can be as straightforward as ’employees shouldn’t have more access to confidential data than their current job requires’ and then implementing a program to review access on a regular basis. Too often employees accumulate access rights that aren’t revoked when they move to new projects.”

Jan van Vliet, Head of EMEA at Digital Guardian goes into detail about the accidental insider:
“Employers must be cautious of the accidental insider threat. Employees present a great risk to internal data, even with data classification and access controls in place. IT teams must take a risk-based approach to their employees, and audit them on the level of risk that they present to company data. Some employees will present a greater risk than others. For example, employees with network administrator credentials pose a far higher risk than those with local user access. Employees in the finance department, on the other hand, may make a tempting target for cyber criminals due to the lucrative data that they process. By understanding which employees present a higher risk to data and tailoring defences accordingly, IT teams dramatically reduce the threat associated with insiders.”

Steve Armstrong, Regional Director UK, Ireland and South Africa at Bitglass, discusses the malicious insider:
“Often described as malicious insiders, rogue employees are individuals that intentionally set out to steal company data; this may be done out of a desire for vengeance, profit, or even a competitor’s benefit. A high profile example can be found with the 2015 case of a Mercedes engineer that stole highly sensitive data in order to give it to his new employer, Ferrari. Unfortunately, insiders with malicious intent have an upper hand when it comes to data theft – they have legitimate credentials that will bypass the majority of their organisations’ security features. If such an individual holds a senior or administrative role, she or he may even have unfettered access to an organisation’s most sensitive data.

Reactive tools that rely upon humans to manually analyse threats are incapable of protecting data in the high-speed era of the cloud. As such, automated security solutions are vital for businesses today. These kinds of tools employ machine learning so that they can identify malicious or suspicious behaviours as they take place; for example, when a user suddenly downloads an unusually large amount of data or accesses sensitive information outside of normal working hours. These tools use an analytical, real-time approach in order to uncover threatening behaviour and take corrective actions as needed.”

Steve Wainwright, Managing Director, EMEA at Skillsoft focuses on the compromised insider:“Social engineering attacks are a go-to method for hackers. They rely on unwitting, unsuspecting and, at times, careless employees. A recent PositiveTechnologies study found that more than one in ten employees fall for this type of attack. Social engineering attacks work by using psychological manipulation. Hackers use information gained on social media or the dark web to build a profile of a person, and then pose as someone they might know via email. They might then encourage their victim to click on a link or download a file that contains malware.

The key to defending against this type of threat is education. By training employees to question and look out for suspicious emails – for example, checking if the sender email address looks odd and scanning the email for poor grammar and spelling – organisations can reduce the likelihood of successful attacks. Giving employees the skills and knowledge they need to identify potential attacks is the best way of mitigating the insider threat risk.”

Tom Harwood, Co-Founder and CPO at Aeriandi discusses the potent risk of insider threats in the contact centre:
“Contact centres are as vulnerable to human error as any other area of a business and accidental data leaks can result from negligence or poor data protection practices. The sensitivity of the contact centre role can also attract the attention of criminals who may try to engineer access to valuable customer data. There is the possibility – however unlikely – that individuals may choose to commit fraud. A traditionally high turnover of staff makes contact centres susceptible to disgruntled employees who may have insider knowledge into customer verification processes or security flaws. When customer payment data is taken over the phone, call archives are full of sensitive customer data such as payment details, passwords and security question answers. When these archives are leaked – either intentionally or by accident – criminals can use the data to commit a range of financial crimes, from online identity theft to major bank fraud.

Leaking customer payment details will have a damaging impact on the organisation’s reputation. When the leak is identified it can be difficult to effectively communicate the breach to customers to advise them to change their security details. The leak may not be identified for some time and many customers may already have been impacted. The organisation may also face legal action for breach of data protection regulations.

The best way for organisations to protect customer data from an insider threat is by making sure payment details never enter the contact centre environment from the outset. Implementing this system removes the potential for both malicious and non-malicious threats. With no card data being stored, processed or transmitted through the systems, criminals cannot steal sensitive data and employees are not required to manage customer payment details. Instead, payments are routed via a secure payment platform. This means that agents can see the transaction is taking place but crucially have no visibility of customer data. With no sensitive data taken, processed or stored on site, the insider threat is completely removed. Organisations can implement these systems while maintaining employee trust, as they protect the agents themselves from potential criminal coercion and human error. They can also be used as a way to boost customer confidence in the company’s data management capability.”

Luke Brown, VP EMEA at WinMagic explains the importance of encryption in defending against the insider threat:

“To effectively protect against insider threats, whether it’s malicious or simply unplanned user error, sensitive data should only be viewable by authorised personnel. Encryption is often (and quite rightly) viewed as the last line of defence when it comes to data security. Authorising only those users who are meant to see the data – giving them the correct encryption keys and appropriate access rights to encrypted files, folders and containers – ensures anyone else is unable to access the data. But encryption needs a wide purview; data needs to be kept under lock and key no matter where it is – on an endpoint, data-centre or in the cloud. Users are the one constant, inevitable challenge in securing data, so taking a cross-platform, ubiquitous approach to encryption is the only answer.”

Whilst the insider threat may seem daunting and tricky to defend again, by investing in the proper tools and cultivating a company culture that values security, organisations can ensure that their data and company remains safe from insider threats.

Want to know more about insider threats? Listen to our two part podcast panel on the topic or read our interview with the founder of Cyber Alliance Management.